Skip to main content

Kirby CVE-2024-27087

MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2024-02-26 security-advisories@github.com
5.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

1
CVE Published
Feb 26, 2024 - 17:15 nvd
MEDIUM 5.4

DescriptionNVD

Kirby is a content management system. The new link field introduced in Kirby 4 allows several different link types that each validate the entered link to the relevant URL format. It also includes a "Custom" link type for advanced use cases that don't fit any of the pre-defined link formats. As the "Custom" link type is meant to be flexible, it also allows the javascript: URL scheme. In some use cases this can be intended, but it can also be misused by attackers to execute arbitrary JavaScript code when a user or visitor clicks on a link that is generated from the contents of the link field. This vulnerability is patched in 4.1.1.

AnalysisAI

Kirby is a content management system. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

Technical ContextAI

This vulnerability is classified as Cross-Site Scripting (XSS) (CWE-79), which allows attackers to inject malicious scripts into web pages viewed by other users. Kirby is a content management system. The new link field introduced in Kirby 4 allows several different link types that each validate the entered link to the relevant URL format. It also includes a "Custom" link type for advanced use cases that don't fit any of the pre-defined link formats. As the "Custom" link type is meant to be flexible, it also allows the javascript: URL scheme. In some use cases this can be intended, but it can also be misused by attackers to execute arbitrary JavaScript code when a user or visitor clicks on a link that is generated from the contents of the link field. This vulnerability is patched in 4.1.1. Affected products include: Getkirby Kirby.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Sanitize all user input, use Content-Security-Policy headers, encode output contextually (HTML, JS, URL). Use frameworks with built-in XSS protection.

More in Kirby

View all
CVE-2024-26483 HIGH POC
8.8 Feb 22

An arbitrary file upload vulnerability in the Profile Image module of Kirby CMS v4.1.0 allows attackers to execute arbit

CVE-2024-26482 HIGH POC
7.1 Feb 22

An HTML injection vulnerability exists in the Edit Content Layout module of Kirby CMS v4.1.0. Rated high severity (CVSS

CVE-2025-30159 MEDIUM POC
6.3 May 13

Kirby is an open-source content management system. Rated medium severity (CVSS 6.3), this vulnerability is remotely expl

CVE-2024-26484 MEDIUM POC
6.1 Feb 22

A stored cross-site scripting (XSS) vulnerability in the Edit Content Layout module of Kirby CMS v4.1.0 allows attackers

CVE-2018-16627 MEDIUM POC
6.1 Dec 20

panel/login in Kirby v2.5.12 allows Host header injection via the "forget password" feature. Rated medium severity (CVSS

CVE-2023-38490 CRITICAL
10.0 Jul 27

Kirby is a content management system. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, n

CVE-2021-29460 MEDIUM POC
5.4 Apr 27

Kirby is an open source CMS. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack co

CVE-2018-16628 MEDIUM POC
5.4 Dec 04

panel/login in Kirby v2.5.12 allows XSS via a blog name. Rated medium severity (CVSS 5.4), this vulnerability is remotel

CVE-2020-26255 CRITICAL
9.1 Dec 08

Kirby is a CMS. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, low attack complexity. T

CVE-2023-38488 HIGH
8.8 Jul 27

Kirby is a content management system. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low at

CVE-2018-16630 MEDIUM POC
4.8 Dec 28

Kirby v2.5.12 allows XSS by using the "site files" Add option to upload an SVG file. Rated medium severity (CVSS 4.8), t

CVE-2024-26481 MEDIUM POC
4.7 Feb 22

Kirby CMS v4.1.0 was discovered to contain a reflected self-XSS vulnerability via the URL parameter. Rated medium severi

Share

CVE-2024-27087 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy